I am getting the following error when trying to get a certificate for my whitelisted dyndns domain xxxxx.no-ip.biz:
Error: rateLimited :: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: no-ip.biz
I am sure that the rate limit applies as the chances of 6 people having certificates for their *.no-ip.biz domains is pretty high, and most probably not a sign of misuse…
So could you lessen the rate limit for dyndns domains, maybe starting with no-ip.biz? That would help ;-)
Thanks for the great service and hope you can help.
Let’s Encrypt uses the public suffix list to resolve TLDs for rate limiting. Dynamic DNS providers can request to be added to this list. See the following link for more details.
The list (https://publicsuffix.org/learn/) is also used for blocking cookies in Firefox/Chrome, so there is a good reason that companies do not like to be on the list.
Apparently noip does not want to be on this list (see tlussnig’s reply), so there really would be only one way for me to resolve the issue: letsencrypt would have to whitelist the no-ip.biz domain.
The real question is: is letsencrypt willing to do so?
No-IP has requested to be added here, so this should be solved soon enough. I don’t believe Let’s Encrypt should implement a separate whitelist for this use-case when there’s already an established process.
I imagine dynamic DNS providers which do not wish to get added for whatever reason won’t do too well in a market with plenty of free alternatives once TLS becomes de-facto mandatory, so this should be just a matter of time.
noip.me is not on the public_suffix_list.dat as of 2015-12-11 12:44PM.
And LetsEncrypt does show the following: There were too many requests of a given type :: Error creating new cert :: Too many certificates already issued for: noip.me
How does that apply to renewals? Is there a risk that someone who has a valid cert for one subdomain could find themselves unable to renew it because people requesting new certs for other subdomains have beaten them to it?
Yep, this applies to renewals as well (which isn’t really different from a “normal” certificate issuance from the server’s perspective). I wouldn’t recommend using this on a domain not listed on the public suffix list if your service is critical. For all other domains, the 7 day rate limit window together with the recommended 2 month renewal period should include enough buffer (1 month) in case you accidentally hit the rate limit on your first or second try.
I contacted noip support today and (with a lot of patience and kindness) they pointed me to the fact that they made a pull request to put their domains on the publicsuffixes list on December 4. However, the list of domains to be added is quite extensive and the people from publicsuffixes need time to verify the list so please be patient.
I sent an email to the guy at afraid.org asking him to please submit their domains to the public suffix list. This should fix the problem with mooo.com (which I experienced today as well when trying to renew my certificate after the first 60 days…)
EDIT: I also have seen that there is a pull request open (not from the owner of afraid.org) to add all their domains to the public suffix list at https://github.com/publicsuffix/list/pull/79
The admins of the PSL, however, do not seem too eager to merge it in…
I just pinged the issue since it wasn’t really clear what timeline we were talking about. Based on the latest response, it sounds like not weeks, or months, but rather year(s). I had been waiting around since November thinking any day the domains would be added, so I know to stop checking now.
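
How a Public Suffix List lookup decides which hostnames share one rate-limit bucket, as an added example that is not part of the original thread and not Let's Encrypt's code. The rule subset and hostnames are constructed, and the function names are hypothetical.

```python
from collections import Counter

# Constructed subset of PSL-style rules, not the real list.
RULES_BEFORE = ["biz", "com", "*.ck", "!www.ck"]
RULES_AFTER = RULES_BEFORE + ["no-ip.biz"]  # provider's suffix added to the list

# Constructed hostnames of unrelated dynamic DNS users.
HOSTS = ["alice.no-ip.biz", "bob.no-ip.biz", "carol.no-ip.biz", "www.example.com"]

def public_suffix(host, rules):
    """Return the public suffix of host as a list of labels (PSL matching)."""
    labels = host.lower().rstrip(".").split(".")
    best = labels[-1:]  # implicit default rule "*": the last label alone
    for rule in rules:
        exception = rule.startswith("!")
        rule_labels = rule.lstrip("!").split(".")
        if len(rule_labels) > len(labels):
            continue
        tail = labels[-len(rule_labels):]
        # A rule label matches if it is "*" or equal to the host label.
        if all(r in ("*", l) for r, l in zip(rule_labels, tail)):
            if exception:
                return tail[1:]  # exception rules win; drop the leftmost label
            if len(tail) > len(best):
                best = tail  # otherwise the longest matching rule prevails
    return best

def registered_domain(host, rules):
    """Public suffix plus one label: the name a per-domain limit is keyed on."""
    labels = host.lower().rstrip(".").split(".")
    suffix = public_suffix(host, rules)
    if len(labels) <= len(suffix):
        return None  # the host is itself a public suffix
    return ".".join(labels[-(len(suffix) + 1):])

def buckets(hosts, rules):
    """Count how many hostnames fall into each registered-domain bucket."""
    return Counter(registered_domain(h, rules) for h in hosts)

if __name__ == "__main__":
    print("suffix not listed:", dict(buckets(HOSTS, RULES_BEFORE)))
    print("suffix listed:    ", dict(buckets(HOSTS, RULES_AFTER)))
```

With the suffix absent, all three users count against the single `no-ip.biz` bucket; once it is listed, each subdomain becomes its own registered domain with its own count.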